INTELEST Global, LLC
Analyst's Depot: Deception Detection Analysis
In the intelligence production process, we frequently grapple with
incomplete and contradictory information. We strive to fill
intelligence gaps and validate our existing data against other sources.
This is precisely what we call AllSourceIntel (multi-source
intelligence).
However, this is not always feasible. You may need to prepare a
briefing or assessment for a decision-maker on a very short timeline,
making multi-source verification impossible given your time and assets.
Moreover, our archives may offer no historical record on the subject. In
such situations, we are forced to produce SingleSourceIntel
(single-source intelligence).
In this article, we will introduce "Deception Detection Analysis,"
a technique designed to mitigate the verification challenges and the
risk of analyzing false information that arises when producing
single-source intelligence. This technique was developed to
systematically evaluate whether an adversary or target is engaged in
deception—that is, whether they are intentionally providing misleading
information to waste our resources and force us into poor decisions.
When We Use It
While it's wise to keep this technique in mind at all times, it is especially critical in certain situations:
- When the stakes are high.
- When the intelligence source has a history of using deception or providing contradictory information.
- When the source or adversary has a significant advantage to gain by misleading us (in this case, it should be applied to all incoming information).
- When the information or situation appears "too good to be true" or suspiciously favorable to our side.
Applying the Technique
This technique is built on seeking answers to specific questions
organized by four mnemonics. To make them easy to remember and use, they
are embedded in a simple phrase.
"Check MOM, POP, EVE, and MOSES."
1. MOM (Motive, Opportunity, Means)
This is the step where we fundamentally question the
adversary's capability and intent to deceive. We seek answers to the
following:
- Motive: What are the adversary's goals? What do they stand to gain by misleading us?
- Opportunity: Do they have the appropriate channels and timing to deliver this deceptive information?
- Means: Do they possess the technical capacity, resources, or personnel to create and execute a plausible deception scenario?
2. POP (Past Opposition Practices)
In this step, we analyze the adversary's behavioral patterns and seek answers to:
- Is there any evidence that the adversary has conducted similar deception operations in the past?
- Is the currently observed activity consistent with the adversary's known Tactics, Techniques, and Procedures (TTPs)?
3. EVE (Evaluation of Evidence)
This is the step where we place the information itself under the microscope.
- How accurate and reliable are the reports from this source?
- Does the information from this source conflict with data from other reliable sources?
4. MOSES (Manipulability of Sources)
This is where we assess how vulnerable the information source is to external influence.
- How reliable is the source? Is it fed by a single channel?
- Is it possible the source is being controlled or directed by the adversary, either unwittingly or under duress?
Naturally, the process does not end with answering the questions
in these four categories. These answers must then be fed into a broader
analytical process.
At this stage, we should establish a "deception hypothesis" and
evaluate it using the Analysis of Competing Hypotheses (ACH). The option
"the source is intentionally misleading us" is then weighed equally
against other possible explanations (e.g., "the information is
accurate," "the source is simply mistaken," etc.) to account for the
presence or absence of evidence. This approach ensures that analysts
systematically vet all possibilities based on evidence, rather than
defaulting to the most probable scenario.
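The ACH step described above, as an added example in Python (not INTELEST's own tooling): a small matrix that scores each hypothesis by the weight of evidence inconsistent with it, which is the usual ACH convention and an assumption here, since the article does not specify a scoring rule. The hypothesis names, evidence items, their MOM/POP/EVE/MOSES tags, weights and ratings are all constructed for illustration.

```python
# Added example: ACH matrix that includes a deception hypothesis.
# Hypothesis names, evidence, weights and ratings are all constructed.
HYPOTHESES = ("accurate", "source_mistaken", "deception")
RATINGS = {"C", "I", "N"}  # consistent, inconsistent, neutral

# (id, check, evidence, weight 1-3, rating per hypothesis in HYPOTHESES order)
EVIDENCE = [
    ("E1", "MOM",   "Adversary gains if we act on the report",       2, "NNC"),
    ("E2", "POP",   "No record of similar deception by this actor",  1, "CCI"),
    ("E3", "EVE",   "Conflicts with a reliable independent source",  3, "ICC"),
    ("E4", "MOSES", "Source is fed by a single channel",             1, "CCC"),
    ("E5", "EVE",   "Report is detailed and internally coherent",    2, "CIC"),
    ("E6", "EVE",   "Expected corroborating activity is absent",     2, "ICC"),
]

def validate(evidence):
    """Every item must rate every hypothesis, so none is skipped silently."""
    for eid, _check, _text, weight, ratings in evidence:
        if len(ratings) != len(HYPOTHESES) or set(ratings) - RATINGS:
            raise ValueError(f"{eid}: need one C/I/N rating per hypothesis")
        if weight not in (1, 2, 3):
            raise ValueError(f"{eid}: weight must be 1, 2 or 3")

def non_diagnostic(evidence):
    """Items rated the same for all hypotheses cannot separate them."""
    return [e[0] for e in evidence if len(set(e[4])) == 1]

def inconsistency_scores(evidence):
    """Sum the weights of evidence rated inconsistent with each hypothesis."""
    validate(evidence)
    scores = dict.fromkeys(HYPOTHESES, 0)
    for _eid, _check, _text, weight, ratings in evidence:
        for hyp, rating in zip(HYPOTHESES, ratings):
            if rating == "I":
                scores[hyp] += weight
    return scores

def rank(evidence):
    """Least-contradicted hypothesis first; ties broken by name."""
    return sorted(inconsistency_scores(evidence).items(),
                  key=lambda kv: (kv[1], kv[0]))

if __name__ == "__main__":
    for hyp, score in rank(EVIDENCE):
        print(f"{hyp:16} inconsistency={score}")
    print("non-diagnostic:", non_diagnostic(EVIDENCE))
```

Note that E4 (single-channel source) is consistent with every hypothesis, so it raises the importance of the MOSES check without helping to choose between explanations.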
In conclusion, Deception Detection Analysis is a critical
technique that compels a deep skepticism toward all evidence and resists
accepting conclusions without solid proof. It is robust enough to be
used on its own, even for the simple verification of open-source (OSINT)
reporting. For us as analysts, it is a crucial method that supports
the "assessment" phase of the broader analytical process, in which
information is validated and its reliability judged.
© 2026 INTELEST Global, LLC. Our Terms and Conditions detail our trademark and copyright rights. Any unauthorized use is expressly prohibited.